Channel: Security forum

Possible to "reissue" RootCA certificate to change a few settings in CAPolicy.inf?


Too late in the long process of creating an offline Standalone RootCA, the internal (to our network) Online Enterprise Issuing CAs and the External Online Standalone (ie, not a member of our domain) CA, I realized an error in our RootCA's CAPolicy.inf file. I should have created two Policies with different OIDs - one for the internal Issuing CAs, and one for the external Issuing CA.  I have one.  The two Issuing CAs will have different policies due to their very different roles in the organization.

I have already done a -dspublish on the Root CA into our AD DS.

I have not yet done a -dspublish on the subordinate Internal Enterprise Issuing CAs nor on the External Issuing CAs if that makes a difference.

I have installed the internal Enterprise Issuing CAs, but they have not yet issued any certificates.  These internal CAs will only be used for domain related certs (domain controller KDC, workstation certs etc etc) and "internal" usage, and will never issue a cert that will matter outside our domain.  They are already domain members and their certs have already been signed by the RootCA.

I have also installed the external Issuing CA, which is not a member of the domain (and wont be), and have had the RootCA sign its certificate.  The External CA has not yet issued any certificates.

I would like to go back and edit the CAPolicy.inf file on the standalone RootCA to allow two policy OIDs.  I assume that means re-generating the RootCA's certificate.  Is that a "renewal" or a "new cert"?  What are the implications for the Internal Issuing CAs and the external CA?  If I create a new cert for the RootCA, can I somehow "get rid of" the currently existing cert already in my DS?  Is that "bad"?  :-)

When you reissue a cert with the same keypair (ie, not generating a new key pair), what happens to the "old version" of the Cert?  Is it now revoked?  What happens to subordinate CAs that were signed with the previous version of the certs?  Do they need to be renewed & signed by the new cert also?

All the CAs are running Server 2012.

I'd really like not to reinstall/recreate everything from scratch again if possible.

Thank you for any insight/help/guidance.
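For reference, this is what a CAPolicy.inf declaring two certificate policies looks like. It is an added example, not taken from the post above: the OIDs sit under a made-up arc, and the URLs, notice text and validity values are placeholders to replace with your own. CAPolicy.inf is only read from %SystemRoot% at CA installation and at CA certificate renewal, so a policy added to it appears only in a renewed root certificate; renewing with `certutil -renewCert ReuseKeys` keeps the existing key pair, and the previous root certificate is not revoked by the renewal. The script writes the file, checks that every policy named in [PolicyStatementExtension] has its own section, and leaves the renewal commands commented out.

```powershell
# Added example (not from the original post): a CAPolicy.inf with two certificate
# policies, one per issuing-CA role. OIDs, URLs, notices and periods are placeholders.
# Run on the offline root CA as an administrator before renewing its certificate.

$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy,ExternalPolicy
Critical=False

[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1.1
Notice="Placeholder: certificates under this policy are for internal domain use only."
URL=http://pki.example.invalid/cps/internal.html

[ExternalPolicy]
OID=1.3.6.1.4.1.99999.1.1.2
Notice="Placeholder: certificates under this policy may be relied on outside the domain."
URL=http://pki.example.invalid/cps/external.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@

# The CA reads CAPolicy.inf from %SystemRoot% only; the single-quoted here-string
# keeps "$Windows NT$" literal.
$path = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding ASCII

# Sanity check: every policy listed in [PolicyStatementExtension] needs its own section,
# otherwise the renewed certificate silently omits it.
$ini        = Get-Content $path
$policyLine = $ini | Where-Object { $_ -match '^Policies=' } | Select-Object -First 1
if (-not $policyLine) { throw 'No Policies= line found in CAPolicy.inf' }
$declared = ($policyLine -replace '^Policies=', '') -split ','
$sections = $ini | ForEach-Object { if ($_ -match '^\[(.+)\]$') { $Matches[1] } }
foreach ($p in $declared) {
    $name = $p.Trim()
    if ($sections -notcontains $name) { throw "Policy '$name' is declared but has no [$name] section" }
}
"CAPolicy.inf written to $path with policies: $($declared -join ', ')"

# Renewal with the existing key pair; the new CA certificate picks up the policy
# extension from the file above. Uncomment to run on the root CA.
# certutil -renewCert ReuseKeys
# net stop certsvc; net start certsvc
```

After the renewal the new root certificate is published the same way as the first one (`certutil -dspublish -f <newroot.cer> RootCA`), and the issuing CAs continue to chain to the same key.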





IAS rejecting authentication requests


I have an IAS server running on Windows 2003.  This server has been in production for 5 years, authenticating requests from a Netscreen 5GT firewall. Last week I replaced the 5GT with a new Juniper SSG20 firewall.  I now cannot authenticate.  I've worked with Juniper support and we've rebuilt the entire configuration and we continue to get access denied due to an incorrect username or password.  I've pasted the parsed logs from a failed authentication attempt below.  Can anyone see something in there that might be causing this problem?

Thanks,
Joe

NAS IP: 192.168.10.254
Client Username: administrator
Timestamp: 07/03/2014 14:05:29
Service: IAS
RADIUS Server: Server001
Acct-Session-ID: NS-0000000b
NAS-IP-Address: 192.168.1.254
NAS-Port: 11
NAS-Port-Type: Virtual (VPN)
Called-Station-ID: 70.110.119.250
Calling-Station-ID: 99.190.125.225
Vendor-Specific: 0x00000C980A0600000003
Client-IP-Address: 192.168.11.254
NAS-Manufacturer: 0
Client-Friendly-Name: Netscreen FW
Provider-Type: Windows
Proxy-Policy-Name: Use Windows authentication for all users
SAM-Account-Name: domain\administrator
Fully-Qualified-User-Name: domain\administrator
Authentication-Type: 1
Class: 311 1 192.168.1.251 07/03/2014 18:29:58 12
Packet-Type: Accept-Request
Reason-Code: Success
--------------------------------------------

NAS IP: 192.168.1.254
Client Username: administrator
Timestamp: 07/03/2014 14:05:29
Service: IAS
RADIUS Server: INFRATROL001
Class: 311 1 192.168.1.251 07/03/2014 18:29:58 12
Authentication-Type: 1
Fully-Qualified-User-Name: domain\administrator
SAM-Account-Name: domain\administrator
Proxy-Policy-Name: Use Windows authentication for all users
Provider-Type: Windows
Client-Friendly-Name: Netscreen FW
NAS-Manufacturer: 0
Client-IP-Address: 192.168.1.254
Packet-Type: Access-Reject
Reason-Code: Authentication failure
--------------------------------------------
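As an added example, not from Joe's post, here is a small parser for records in the pasted layout: each block of "Key: Value" lines separated by a dashed line becomes an object, so the request and the reject for one attempt can be compared field by field, and rejects and address mismatches are flagged. IAS identifies the RADIUS client (and the shared secret it uses) by the packet's source address, so the address fields are worth a look. The sample records are constructed to mirror the post's format, with made-up values.

```powershell
# Added example (not from the original post): parse pasted IAS log records and
# flag rejects and NAS/client address mismatches. Sample records are constructed.

$sample = @'
NAS IP: 192.168.10.254
Client Username: administrator
Timestamp: 07/03/2014 14:05:29
NAS-IP-Address: 192.168.1.254
Client-IP-Address: 192.168.11.254
Client-Friendly-Name: Netscreen FW
Authentication-Type: 1
Packet-Type: Access-Request
Reason-Code: Success
--------------------------------------------

NAS IP: 192.168.1.254
Client Username: administrator
Timestamp: 07/03/2014 14:05:29
Client-IP-Address: 192.168.1.254
Client-Friendly-Name: Netscreen FW
Authentication-Type: 1
Packet-Type: Access-Reject
Reason-Code: Authentication failure
--------------------------------------------
'@

function ConvertFrom-IasRecord {
    param([Parameter(Mandatory)][string]$Text)
    # Split on the dashed separator, then turn each block of "Key: Value" lines into an object.
    $Text -split '(?m)^-{5,}\s*$' | ForEach-Object {
        $h = [ordered]@{}
        foreach ($line in ($_ -split "`r?`n")) {
            # Lazy key match stops at the first colon, so "Timestamp: 07/03/2014 14:05:29" parses cleanly.
            if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') { $h[$Matches[1]] = $Matches[2] }
        }
        if ($h.Count) { [pscustomobject]$h }
    }
}

$records = ConvertFrom-IasRecord $sample

# Side-by-side view of who sent what, from where, and the outcome.
$records |
    Select-Object 'Packet-Type', 'Reason-Code', 'NAS IP', 'Client-IP-Address', 'Client Username' |
    Format-Table -AutoSize

# Flag rejects, and attempts where the NAS address and the address IAS matched the client on differ.
foreach ($r in $records) {
    if ($r.'Packet-Type' -eq 'Access-Reject') {
        Write-Warning ("Reject for {0} via client {1}: {2}" -f $r.'Client Username', $r.'Client-IP-Address', $r.'Reason-Code')
    }
    if ($r.'NAS IP' -and $r.'Client-IP-Address' -and $r.'NAS IP' -ne $r.'Client-IP-Address') {
        Write-Warning ("NAS IP {0} differs from Client-IP-Address {1}" -f $r.'NAS IP', $r.'Client-IP-Address')
    }
}
```

To run it over a real export, replace `$sample` with `Get-Content -Raw` of the pasted file; the separator and key/value pattern are the only format assumptions.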

Certificate Enroll Errors RPC Server Is Unavailable


I have a scenario on which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year to a year and a half ago, and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles. Well, that DC started to die, so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role, but as I understand it there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities on all computers, and I find in the event log the following error when I log in to our domain machines, from them trying to contact each of the old CA servers:

Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers, and I have no idea why we needed so many servers to be root CAs in the first place. Anyhow, I was wondering if the proper procedure would be to remove the trusted root certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation on removing a root CA from your environment. I still see some errors and machines requesting to check for stuff like the CRL with the most recent root CA that we removed, so I just wanted to check to see if all of these errors will go away once we finish the cleanup, and if there is anything special that needs to be done for the potentially orphaned root CAs. We did take a backup of the 2008 R2 CA (the one that was on the dying DC) before we removed the role, and I have confirmed that our production CA (the one that we would like to remain in production, which is a sub CA of an offline root) has already issued new machine and DC certs to our domain machines and domain controllers.

Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

Windows Server 2008 R2 Audit Failure Event ID 4625


I checked the IP address 192.168.0.145 in our network, but it does not exist. Why does this event log keep showing?

ID= 4625; Src= Microsoft-Windows-Security-Auditing; User= ; Catg= 12544; D/T= 07/02/2014 13:44:23; EventDesc= An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: %#04
Status: 0x80090308
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: 192.168.0.145
Source Port: 51982
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

DNSSec


Hello!

I have not found an answer to my question, so I am posting it here.

In our network we are behind Forefront TMG, and on a separate machine we are running a DNS server.

Is it possible for the DNS server to make DNS queries to Internet DNS servers using DNSSec? I do not need DNSSec in my local network, because it is physically isolated. I only need my local DNS server to use DNSSec when making queries out to the Internet.

Is this possible? We are running Windows Server 2008 r2.

Thank you!

Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. Object was not found. 0x80090011


Recently on my Home Server 2011, three important services have been failing to run: Windows Server Addins Infrastructure Service, Windows Server Identity Management Service, Windows Server Server Backup Service.

Because the Server Backup Service is one of those failing, falling back on a backup doesn't seem to be an option. As best as I can tell, the failures are associated with the Application Log entries below. Any idea what I can do to remedy this situation? None of the suggestions I've found seem to be a very good match.

Warning:


Active Directory Certificate Services could not use the provider specified in the registry for encryption keys.  Object was not found. 0x80090011 (-2146893807)


Errors:


Active Directory Certificate Services could not use the default provider for encryption keys.  Keyset does not exist 0x80090016 (-2146893802)


Application: SharedServiceHost.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.UnauthorizedAccessException

Stack:

Server stack trace:

   at Microsoft.WindowsServerSolutions.CERTCLIENTLib.Interop.CCertRequestClass.GetCACertificate(Int32 fExchangeCertificate, String strConfig, Int32 Flags)

   at Microsoft.WindowsServerSolutions.Certificates.CertManaged.EnsureCertsrvIsReady()

   at Microsoft.WindowsServerSolutions.Devices.Identity.Internal.MachineIdentityCore._GetTheCurrentMachineCount()

   at Microsoft.WindowsServerSolutions.Devices.Identity.Internal.MachineIdentityCore._Init()

   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)

   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

   at Microsoft.WindowsServerSolutions.Devices.Identity.Internal.MachineIdentityCore._InitDone(System.IAsyncResult)

   at System.Runtime.Remoting.Messaging.AsyncResult.SyncProcessMessage(System.Runtime.Remoting.Messaging.IMessage)

   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessageSink)

   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()

   at System.Threading.ThreadPoolWorkQueue.Dispatch()


Faulting application name: SharedServiceHost.exe, version: 6.1.1839.0, time stamp: 0x4d38a956

Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a

Exception code: 0xe0434352

Fault offset: 0x000000000000940d

Faulting process id: 0x34a0

Faulting application start time: 0x01cf7dd4ebad2bce

Faulting application path: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe

Faulting module path: C:\Windows\system32\KERNELBASE.dll

Report Id: 38ff1af6-e9c8-11e3-af6f-e06995687b6e

Certificate Revocation Question


I have servers in a "closed" network, ie no access to the World Wide Web (WWW).  I have server errors within the CAPI2 log that I want to resolve.  I know these errors are valid because it can't reach the WWW to verify against the revocation server, thus the errors.  How do I get this process to stop on the certificates?

Example of an error:

Event 11, CAPI2 (Build Chain)

CertGetCertificateChain

-Certificate

[fileRef] xxxxxxxxxxxxxxxxxxxxxxxxxx.cer

[subjectName] Microsoft Time-Stamp Service

-AddiditionalStore

-Certificate

[fileRef] xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.cer

[subjectName] Microosft Windows Production PCA 2011

-Certificate

[fileRef] xxxxxxxxxxxxxxxxxxxxxxxxxxxx.cer

[subjectName] Microsoft Windows

-Certificate

[fileRef] xxxxxxxxxxxxxxxxxxxxxxxxxxxx.cert

[subjectName] Microsoft Time-Stamp Service

[Result]

The revocation function was unable to check revocation because the revocation server was offline

[value] 80092013

It is offline because it probably can't reach out to the WWW to verify revocation.  How do I get Windows to stop doing this on these certificates?  I have other certificates that I need to verify revocation for, and these are working as expected.

Thank you!

Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.


Dear All,

Kindly help with implementing Kerberos authentication on a CRM application in a multi-forest environment. My environment details are as below:

Number of forests: 2

1. First is with name of domain1.local

2. Second is with name of domain2.local

Trust Level: One Way trust from domain1 and domain2.

CRM Farm Details:

1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)

2.  1 SQL Server (CRMSQL-01.domain1.local)

3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)

4. CRM site url: http://mscrminternal.domain.local/MSORG1

*I have successfully configured Kerberos authentication and everything is working fine when accessed by users of domain1. But once I tried to access it as users of domain2, I got the following error.

HTTP Error 401 - Unathorized: Access denied.

*If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.

I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.

Please help me to understand if it is possible to set up Kerberos across a cross-forest one-way trust.

Regards

Gyan


GYAN SHUKLA




Auto certificate enrollment for computers not happening


Hi

In my environment, auto certificate enrollment for computers is not happening through GPO.

Domain Computers has Enroll permission on the computer certificate template.

Please suggest.

Regards,

Deepak S

Password less authentication for Remote Desktop


Hello

I am coming from a strong Linux background.
We have more than 10 Linux servers used by various customers.
I don't have faith in passwords, so we use key pair authentication on all our Linux servers,
as anybody can try to guess passwords by brute force.
So please let me know what equivalent options are available for Microsoft Remote Desktop.
We have already invested a lot of money in Microsoft Windows products and are not interested in investing more to secure the authentication, so please don't suggest any commercial products or SSL keys.

windows modules installer service terminates


Hello. I posted this in the SBS section, but I received no replies. Maybe this question fits here better, I hope.

I am using windows SBS 2008.

Windows Server Standard FE SP2

ver   6.0.6002

I am trying to run Windows updates.

I receive:   Windows modules installer service terminated - specified module cannot be found

I am trying to work through KB959077.

I do not have the   C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_<TrustedInstaller ID>_none   directory that KB959077 references; there is no "servicing stack" directory.

I could not locate information on what to do when encountering the absence of this directory. Does anyone have any ideas on what I might try next?

thank you.....

element not found when duplicating "Basic EFS" template


I've been trying to duplicate the Basic EFS template as either a Windows 2003 or 2008 template, and every time I use the new template via GPO to encrypt (EFS) any files/folder, I keep getting the "Element Not Found" error.  I've looked all over the event logs and cannot find any errors that will point me in the right direction to troubleshoot this issue.  I noticed it will only work if I use the Basic EFS template.  I've Googled and have found several forum posts that state to duplicate the Basic EFS template as a Windows 2003 template to fix this problem, but I'm still getting the same error.  Any help is appreciated.

Thank you.


Unable to Download CDP CRL, DeltaCRL and AIA Location by HTTP


Hi

Just migrated the CA onto Windows Server 2008 R2, which is a DC holding no FSMO roles in a 2003 domain/forest.

I get this in PKIVIEW. (can't post links or images)

AIA Location #2

Unable to download

http://caserver.domain.local/certenroll/caserver.domain.local_domain.crt

DeltaCRL Location #2

Unable to download

http://caserver.domain.local/certenroll/domain+.crl

CDP Location #2

Unable to download

http://caserver.domain.local/certenroll/domain.crl

If I copy and paste the HTTP URL from PKIVIEW, I get

<fieldset>

HTTP Error 500.19 - Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

</fieldset>
<fieldset><legend>Detailed Error Information</legend>
Module: AnonymousAuthenticationModule
Notification: AuthenticateRequest
Handler: StaticFile
Error Code: 0x8007000d
Config Error: Failed to decrypt attribute 'password' because the keyset does not exist
Config File: \\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config
Requested URL: http://caserver.domain.local:80/CertEnroll/Impello.crl
Physical Path: C:\Windows\system32\CertSrv\CertEnroll\Impello.crl
Logon Method: Not yet determined
Logon User: Not yet determined
</fieldset>
<fieldset><legend>Config Source</legend>
  340:   341:                 <anonymousAuthentication enabled="true" userName="IUSR_CASERVER" password="[enc:AesProvider:AKIysICQmyYDzE7MMPeurKuIWeg6dv13xwaG7af+cq7DNEPpLsQvWXtvMY+uzvMc:enc]" />
  342: 
</fieldset>

(names have been changed to protect the innocent)

I'm guessing the inability to download the CRL/CRT files is related to permissions on the private keys/within the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder. Would re-mapping to the IUSR accounts help as per http://support.microsoft.com/kb/946139/en-gb?

Any thoughts?

I have a CSR, how do I get a Server 2012 R2 CA to issue a certificate?


In fact I have two CSRs that I would like to get certificates for: one from a Sonicwall firewall, one from a Lync 2010 Edge server which is not domain joined.

I have a CA which has been upgraded many times. I'm trying to understand how to access the various templates:

There is a "Web Server Windows 2000 template version 4.1" but it has only 1024 bit key; this is accessible in the certsrv web interface. I don't want to use it.

There is a "Web Server 2048 template Windows Server 2008 Enterprise version 100.4", which would seem a better bet but it is not visible in the certsrv interface.

Do I assume Version 3 is more secure than version 2 than version 1, or do I just use version 1 for all normal uses?


CarolChi
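The web enrollment pages (certsrv) only offer version 1 and version 2 templates, which is why a "Windows Server 2008" (version 3) template does not show up there; the template "version" label is the schema version that determines which settings can be edited, not a security ranking. Submitting the CSR with certreq and naming the template is not limited in that way. The following is an added example (not from CarolChi's post or from Microsoft): a wrapper around `certreq -submit` whose CA config string, template name and file paths are placeholders.

```powershell
# Added example (not from the original post): submit an externally generated CSR
# (firewall, non-domain server) to an AD CS CA with certreq, naming the template.
# CA config, template name and paths are placeholders.

function Submit-CsrToCa {
    param(
        [Parameter(Mandatory)][string]$CsrPath,       # PKCS#10 request file, e.g. C:\csr\edge.req
        [Parameter(Mandatory)][string]$CaConfig,      # 'CAHOST\CA Common Name' as shown by certutil -dump
        [Parameter(Mandatory)][string]$TemplateName,  # template *name* (no spaces), not its display name
        [string]$OutCer = ($CsrPath -replace '\.[^.]+$', '.cer')
    )
    # The submitting user needs Enroll on the template, and the CA must publish it
    # (certutil -CATemplates -config $CaConfig lists what the CA is set to issue).
    if (Test-Path $OutCer) { Remove-Item $OutCer }   # so Test-Path below reflects this submission only

    $out = & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $CsrPath $OutCer 2>&1 |
           ForEach-Object { "$_" }
    $exit = $LASTEXITCODE
    $id = if (($out -join "`n") -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { $null }

    if (Test-Path $OutCer) {
        # Issued immediately: the CA wrote the certificate to $OutCer.
        [pscustomobject]@{ RequestId = $id; State = 'Issued'; Certificate = $OutCer }
    } elseif ($id) {
        # Pending ("Taken Under Submission"): a CA manager issues it with
        #   certutil -config $CaConfig -resubmit <RequestId>
        # and the requester collects it with
        #   certreq -retrieve -config $CaConfig <RequestId> <file.cer>
        [pscustomobject]@{ RequestId = $id; State = 'Pending'; Certificate = $null }
    } else {
        throw "certreq failed (exit $exit):`n$($out -join "`n")"
    }
}

# Usage with placeholder values:
# Submit-CsrToCa -CsrPath C:\csr\edge.req -CaConfig 'ca01.example.invalid\Example Issuing CA' -TemplateName WebServer2048
```

The returned `.cer` is the end-entity certificate only; the device usually also needs the issuing chain, which `certutil -config <CAConfig> -ca.chain chain.p7b` exports.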

How to disable Smart Card GPO

I have a domain controller. When I booted it up and typed in my username and password it gave me an error. It said that I needed a smart card to log in. I don't use smart cards. I think I accidentally enabled this policy. How can I disable this policy? I don't remember my directory services restore password either.

Configure Cisco ASA - Microsoft CA Certificates


Hi All,

We have a Cisco ASA and a Windows 2008 R2 certificate authority.  We require our Cisco VPN client users to have a user certificate installed on their remote PCs to authenticate with the Cisco ASA.

How do we set up High Availability for my CA? Our CA is running on our DC; will that cause any issues?

We currently use this CA for Exchange.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

AS

Security Log Event 4625 - After TLS Client Key Exchange - 2012 R2 Essentials


Hi all

First time posting here, so hopefully someone can help me. I have installed the Windows 2012 R2 Essentials server operating system on a new HP server.  The server, OS, domain and Windows 8.1 PCs on the network were all installed from scratch recently (as it is a new company). The server has event ID 4625 (audit failure - account failed to log on) in the security log on multiple occasions. After hours of researching I have finally found (via a Network Monitor trace) what I think is the network packet that is related to the event. It is a TLS packet from the Windows 8.1 machines onsite to the server.

The description of the packet is TLS:TLS Rec Layer -1 Handshake: Certificate. Client Key Exchange. Certificate Verify

The packet makes reference to X509Cert: Issuer: <domain name>-<server name>-<CA>

When we set up the domain, we configured the 2012 Essentials server to be a domain controller and just connected the machines to the domain using the server connection wizard (website). We don't have Exchange onsite as they use Office 365. We didn't do any configuration with regard to certificates when the server was installed. Everything was left as out of the box.

It is not impacting day to day operations but can anyone explain why this might happen and how to resolve it?

Note: We are now experiencing the same thing at another client site where we just installed a new Windows 2012 R2 Essentials server.

Here is the event log information (note the event log does not make any reference to the Windows 8 machine - only the server. The account name in the event properties is the server name with a dollar symbol at the end.)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25/06/2014 00:00:02
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Servername.domainname.local
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain:DomainName
Logon ID: 0x3E7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID:0x258
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:SERVERNAME
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:Schannel
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-24T23:00:02.024083500Z" />
    <EventRecordID>6723875</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="8336" />
    <Channel>Security</Channel>
    <Computer>Servername.DomainName.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="SubjectDomainName">DomainName</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVERNAME</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x258</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
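Both 4625 posts on this page (the NTLM failure with Status 0x80090308 from an unknown address, and this Schannel/Kerberos one with 0xC000006D/0xC0000064) are easier to reason about once the events are grouped by source address, logon process, package and status. A Logon Process of Schannel means the failure came from a TLS client-certificate logon attempt rather than an interactive or SMB logon, which is why the workstation and subject in this event are the server itself. The script below is an added example, not from either post: it parses event XML (so it works on pasted or exported events as well as on the live Security log), maps the documented NTSTATUS/SSPI codes it knows, and shows everything else raw. The two sample events are constructed in the shape of the pasted ones, with made-up names and addresses.

```powershell
# Added example (not from either post): group 4625 audit failures by source,
# logon process, package and status, from event XML or the live Security log.

# Documented status codes that appear in 4625 events; anything else is shown as raw hex.
$StatusNames = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0x80090308' = 'SEC_E_INVALID_TOKEN'
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }
    $status = ([string]$data['Status']).ToLower()
    $sub    = ([string]$data['SubStatus']).ToLower()
    $statusText = if ($StatusNames.ContainsKey($status)) { "$status $($StatusNames[$status])" } else { $status }
    $subText    = if ($StatusNames.ContainsKey($sub))    { "$sub $($StatusNames[$sub])" }       else { $sub }
    [pscustomobject]@{
        TimeUtc     = $doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $doc.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        LogonProc   = $data['LogonProcessName']
        AuthPackage = $data['AuthenticationPackageName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        SourcePort  = $data['IpPort']
        Status      = $statusText
        SubStatus   = $subText
    }
}

function Get-LogonFailureSummary {
    # Live view: needs rights to read the Security log (Administrators or Event Log Readers).
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() } |
        Group-Object SourceIP, Workstation, LogonProc, AuthPackage, Status, SubStatus |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed samples shaped like the two pasted events (names and addresses are not real).
$schannelSample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2014-06-24T23:00:02.024Z" /><Computer>server.example.invalid</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">SERVER$</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName"></Data><Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data><Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVER</Data><Data Name="IpAddress">-</Data><Data Name="IpPort">-</Data>
  </EventData>
</Event>
'@
$ntlmSample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2014-07-02T13:44:23.000Z" /><Computer>fileserver.example.invalid</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data>
    <Data Name="TargetUserName"></Data><Data Name="TargetDomainName"></Data>
    <Data Name="Status">0x80090308</Data><Data Name="SubStatus">0x0</Data><Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName"></Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName"></Data><Data Name="IpAddress">192.0.2.45</Data><Data Name="IpPort">51982</Data>
  </EventData>
</Event>
'@

@($schannelSample, $ntlmSample) | ForEach-Object { ConvertFrom-LogonFailureXml $_ } |
    Format-Table SourceIP, Workstation, LogonProc, AuthPackage, Status, SubStatus -AutoSize

# On the affected server: Get-LogonFailureSummary | Format-Table -AutoSize
```

Grouping on SourceIP and Workstation together separates network-originated failures (an address that should exist on your network but does not) from local ones where the source is the server itself, as in the Schannel case.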


Report on soon to be expired certificates

Does anybody know any trick for getting a report on soon-to-expire certificates on a Windows 2008 CA?

Access is denied while logging in to server


Dear support,

While logging in to the server locally, it gives me the error "access is denied".

CA Cluster New Certificate Template Issue Error Access Denied


Greetings, community!

We have a clustered CA configuration on Windows Server 2012 R2. It was configured following these instructions: http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx

It works perfectly without any trouble, until I want to add a new certificate template.

When I try to add/remove any template to issue, I get an error:

The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (Win32: 5 ERROR_ACCESS_DENIED )
The changes can be saved to Active Directory and retrieved by the CA next time it is started. Do you want to save the changes to Active Directory?

YES/NO

If I press Yes, the changes will be applied.


The same strange situation occurs when adding/removing rights to manage the CA:

When I try to add any user, or change the current rights of existing users, I get the error:

The permissions could not be updated on the CA and have been saved to the registry. You must restart Active Directory Certificate Services for the changes to take effect.

Access is denied.0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

When I apply the changes, they are correctly applied, but in the Application log I get EventID 92 with the text:

Active Directory Certificate Services could not update security permissions. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED).


I discovered that in the instructions about configuring the CA cluster, we have some special steps:

Configuring_the_CA_in_Active_Directory

We should give all CA cluster nodes Full Access permissions on the CA Cluster Name in the Enrollment Services container.

So, when we change Manage permissions, our nodes disappear from the Enrollment Services container, and the Cluster CA name appears there with Full Access rights. Then we have the errors I wrote about above.

Strangely, we have the same situation after restarting the CA nodes. We don't add new templates or change Manage CA rights very often, so I can't tell when it first happened.

Well, I have some questions:

1. Why does it happen? Why have the CA nodes been deleted, and why has the CA Cluster Name been created in the CA Cluster Name's rights pane in the Enrollment Services container?

2. Why are the CA nodes declined when they try to do something? If they are trying to do something under the node name, why do they rewrite the permissions as the CA Cluster Name?

3. What can I do to fix it? How do I allow connections to AD from the CA nodes as the CA Cluster Name?

Same error, but no fixes:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/4d64b3ad-5f9d-4df1-90fe-9d4491ba3940/issue-new-certificate-templates-on-ca-windows-server-2008

